CVE-2024-21539

HIGH

Eslint Plugin-kit < 0.2.3 - Denial of Service

Title source: rule

Description

Versions of the package @eslint/plugin-kit before 0.2.3 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by exploiting this vulnerability.

Scores

CVSS v3 7.5
EPSS 0.0021
EPSS Percentile 43.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

CWE
CWE-1333 CWE-770
Status published
Products (2)
eslint/plugin-kit 0 - 0.2.3 (npm)
n/a/@eslint/plugin-kit < 0.2.3
Published Nov 19, 2024
Tracked Since Feb 18, 2026